Claude Code Plugins

Community-maintained marketplace

Auditing Security

@CaptainCrouton89/.claude

Identify and remediate vulnerabilities through systematic code analysis. Use when performing security assessments, pre-deployment reviews, compliance validation (OWASP, PCI-DSS, GDPR), investigating known vulnerabilities, or post-incident analysis.

Install Skill

  1. Download skill
  2. Enable skills in Claude: open claude.ai/settings/capabilities and find the "Skills" section
  3. Upload to Claude: click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name: Auditing Security
description: Identify and remediate vulnerabilities through systematic code analysis. Use when performing security assessments, pre-deployment reviews, compliance validation (OWASP, PCI-DSS, GDPR), investigating known vulnerabilities, or post-incident analysis.

Auditing Security

Overview

Comprehensive security analysis to identify vulnerabilities, assess risk, and provide remediation guidance aligned with industry standards (OWASP Top 10, CVSS scoring).

Inputs:

  • Codebase to audit
  • docs/system-design.md - Architecture context
  • docs/api-contracts.yaml - API specifications
  • docs/feature-spec/F-##-*.md - Feature implementations

Outputs:

  • Security findings organized by severity (CRITICAL, HIGH, MEDIUM, LOW)
  • CVSS scores and OWASP Top 10 mapping
  • Exploit scenarios and remediation code
  • Risk-prioritized remediation plan

Quick Start

Ask for a security audit with context:

  • What to audit? Feature, component, or full application
  • Concerns? Injection, auth bypass, data leaks, access control, API security
  • Sensitive data? PII, credentials, financial data, health info, business secrets
  • Existing security? JWT/sessions, RBAC/ABAC, TLS, input validation, headers, rate limiting

Scope Discovery

Q1: Audit Scope

  • Specific feature or component
  • Entire application (full security audit)
  • Known vulnerability investigation
  • Compliance check (OWASP Top 10, PCI-DSS, GDPR)
  • Code review for security issues
  • Infrastructure and configuration

Q2: Threat Model

  • Data breaches and leaks
  • Authentication bypass
  • Injection attacks (SQL, XSS, command)
  • Access control failures
  • API security
  • Infrastructure vulnerabilities
  • Dependency vulnerabilities

Q3: Sensitivity Level

  • Personally identifiable information (PII)
  • Authentication credentials
  • Financial data (payment info, transactions)
  • Health information (HIPAA)
  • Business secrets or proprietary data
  • User-generated content

Q4: Existing Security (optional)

  • Authentication method (JWT, sessions, OAuth)
  • Authorization model (RBAC, ABAC)
  • Encryption (TLS, at-rest encryption)
  • Input validation and sanitization
  • Security headers (CSP, HSTS, etc.)
  • Rate limiting and throttling
  • Logging and monitoring

Security Review Strategy

Sequential Review (Targeted audits)

When to use: Small codebase, single vulnerability investigation, specific attack vector, <5 files

Review vulnerabilities one area at a time using direct tools:

Injection Vulnerabilities:

  • SQL injection: String concatenation in queries (db.query("SELECT * FROM users WHERE id = '" + id + "'"))
  • XSS: dangerouslySetInnerHTML, unsanitized HTML (.innerHTML = userInput)
  • Command injection: Shell command construction (exec('rm ' + filename))
  • NoSQL injection, LDAP injection
  • Search for: db.query(, eval(, exec(, .innerHTML

Authentication/Authorization:

  • Endpoints without auth checks
  • Weak password requirements
  • Missing rate limiting on auth endpoints
  • Session management issues
  • Broken access control, privilege escalation
  • Search for: route handlers, auth middleware, permission checks

Sensitive Data Exposure:

  • Hardcoded secrets: API keys, passwords, tokens
  • Excessive data in API responses
  • Logging sensitive information
  • Unencrypted transmission
  • Insecure storage
  • Search for: apiKey, password, secret, token assignments

Security Misconfiguration:

  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • CORS misconfiguration
  • Verbose error messages exposing internals
  • Default credentials
  • Debug mode in production
  • Search for: server config, error handlers, CORS setup

Dependency Vulnerabilities:

  • Run npm audit or equivalent
  • Check for outdated packages with CVEs
  • Unnecessary dependencies, supply chain risks
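
The "Search for" lists under Injection Vulnerabilities and Sensitive Data Exposure can be turned into a first-pass scanner that reports `file:line` locations for manual review. This is an added example, not part of the skill; the rule ids, `scanSource` and the sample source are constructed for illustration, and the regexes are line-based heuristics that will miss multi-line strings.

```javascript
// Added example: heuristic line scanner for the "Search for" patterns above.
// Rule ids, scanSource and SAMPLE are hypothetical; SAMPLE is constructed input.
const RULES = [
  // SQL text assembled with ${...} interpolation or string concatenation
  { id: 'sql-built-from-input', category: 'Injection',
    re: /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{|["'][^\n]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^\n]*["']\s*\+/i },
  { id: 'eval-call', category: 'Injection', re: /\beval\s*\(/ },
  // exec()/execSync() whose first argument is interpolated or concatenated
  { id: 'exec-dynamic-command', category: 'Injection',
    re: /\bexec(?:Sync)?\(\s*(?:`[^`]*\$\{|(["'])[^\n]*?\1\s*\+)/ },
  { id: 'html-sink', category: 'Injection',
    re: /\.innerHTML\s*\+?=(?!=)|dangerouslySetInnerHTML/ },
  // apiKey/password/secret/token assigned a string literal of 8+ characters
  { id: 'hardcoded-secret', category: 'Sensitive Data Exposure',
    re: /\b\w*(?:api_?key|password|secret|token)\w*\s*[:=]\s*(["'`])[^"'`\n]{8,}\1/i },
];

// Returns one finding per matching rule per line, in file order.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ rule: rule.id, category: rule.category,
          location: `${file}:${i + 1}`, code: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: lines 2 and 6 are the safe forms and must not be flagged.
const SAMPLE = [
  "const q = `SELECT * FROM users WHERE email = '${email}'`;",
  "const user = await db.query('SELECT * FROM users WHERE email = ?', [email]);",
  "exec('rm ' + filename);",
  "el.innerHTML = userInput;",
  'const apiKey = "sk-1234567890abcdef";',
  "const key = process.env.API_KEY;",
].join('\n');

for (const f of scanSource('sample.js', SAMPLE)) {
  console.log(`${f.location} [${f.category}] ${f.rule}: ${f.code}`);
}
```

Each hit is a candidate for the finding format, not a confirmed vulnerability; trace whether user input actually reaches the flagged line before scoring it.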

Parallel Scanning (Comprehensive audits)

When to use: Entire application, multiple OWASP categories, >1000 lines, multiple attack surfaces

Agent 1: Injection (OWASP A03)
SQL, XSS, command, NoSQL, LDAP injection vulnerabilities

Agent 2: Authentication/Authorization (OWASP A01, A07)
Missing auth, weak passwords, broken sessions, access control failures, privilege escalation

Agent 3: Data Exposure (OWASP A02)
Hardcoded secrets, excessive API responses, logging sensitive data, unencrypted transmission, insecure storage

Agent 4: Configuration (OWASP A05)
Missing security headers, CORS misconfiguration, verbose errors, default credentials, unnecessary services

Agent 5: Dependencies (OWASP A06)
Vulnerable packages, outdated versions, supply chain risks

Finding Documentation Format

For each vulnerability:

### [SEVERITY] Issue Name
**CVSS Score:** X.X | **Category:** OWASP A##:YEAR | **Location:** `src/path/file.js:123`

**Vulnerable Code:**
[Code snippet]

**Exploit Scenario:**
[Concrete example of how to abuse this]

**Impact:**
[What attacker can achieve: data access, auth bypass, system compromise, etc.]

**Fix:**
[Secure replacement code]

**References:**
- OWASP: [link]
- CWE-##: [link]

Severity Mapping:

  • 🔴 CRITICAL (CVSS 9.0-10.0): Fix immediately (authentication bypass, full database access, RCE)
  • 🔴 HIGH (CVSS 7.0-8.9): Fix within days (data exfiltration, significant privilege escalation)
  • 🟡 MEDIUM (CVSS 4.0-6.9): Fix within weeks (partial data access, limited auth bypass)
  • 🟢 LOW (CVSS 0.1-3.9): Fix within months (information disclosure, minor config issues)

Security Audit Report

Generate comprehensive report with:

# Security Audit Report: [System Name]

## Executive Summary
**Overall Security Posture:** [CRITICAL / POOR / FAIR / GOOD / EXCELLENT]

**Vulnerability Summary:**
- CRITICAL: [X] (CVSS 9.0-10.0)
- HIGH: [Y] (CVSS 7.0-8.9)
- MEDIUM: [Z] (CVSS 4.0-6.9)
- LOW: [N] (CVSS 0.1-3.9)

**Immediate Actions Required:**
1. [Most critical issue]
2. [Second priority]

## OWASP Top 10 Assessment
| Category | Status | Findings | Priority |
|----------|--------|----------|----------|
| A01: Broken Access Control | ✅/⚠️/❌ | [count] | - |
| A02: Cryptographic Failures | ✅/⚠️/❌ | [count] | - |
| A03: Injection | ✅/⚠️/❌ | [count] | - |
| [Continue for all 10] | | | |

## Findings by Severity
[CRITICAL vulnerabilities]
[HIGH vulnerabilities]
[MEDIUM vulnerabilities]
[LOW vulnerabilities]

## Remediation Plan
### Immediate (24 hours)
[Critical and high-severity fixes]

### Short-term (1 week)
[Medium-severity fixes]

### Medium-term (1 month)
[Low-severity fixes, hardening]

## Verification Checklist
- [ ] Re-run security scans on fixed code
- [ ] Verify each vulnerability is closed
- [ ] Run `npm audit` on dependencies
- [ ] Test fixes don't break functionality
- [ ] Add security regression tests

Security Check Reference

Injection:

  • SQL queries use parameterization (prepared statements, ORM)
  • HTML output is sanitized (DOMPurify, escaped)
  • No dynamic command execution (exec, spawn with user input)
  • No eval() or similar code execution

Authentication:

  • Password requirements adequate (12+ chars, complexity)
  • All sensitive endpoints have auth checks
  • Session management secure (httpOnly, secure cookies)
  • Rate limiting on auth endpoints (5 attempts/min max)
  • Credentials hashed with bcrypt/argon2, not plaintext

Data Exposure:

  • No hardcoded secrets (use environment variables)
  • API responses don't leak unnecessary data
  • Sensitive data not in logs
  • HTTPS/TLS enforced everywhere
  • Sensitive data encrypted at rest (AES-256)

Configuration:

  • Security headers present (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
  • CORS properly configured (not *, validate origins)
  • Error messages don't expose internals
  • No default credentials
  • Debug mode disabled in production
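
The header, CORS and cookie items in the checklist above can be verified mechanically against a captured response. This is an added example, not part of the skill; `auditHeaders` and both header sets are hypothetical and constructed for illustration.

```javascript
// Added example: audits one response's headers against the checklist items above.
// auditHeaders and both header sets are hypothetical, constructed for illustration.
const REQUIRED = ['content-security-policy', 'strict-transport-security',
  'x-frame-options', 'x-content-type-options'];

function auditHeaders(headers) {
  const h = {}; // header names are case-insensitive, so normalise first
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const issues = REQUIRED.filter((n) => !h[n]).map((n) => `missing ${n}`);

  // An HSTS header with max-age=0 (or no max-age) switches the protection off.
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (hsts && (!maxAge || Number(maxAge[1]) === 0)) {
    issues.push('HSTS max-age is zero or absent');
  }

  // Checklist: CORS "not *, validate origins".
  if (h['access-control-allow-origin'] === '*') issues.push('CORS allows any origin (*)');

  // Checklist: session cookies need HttpOnly and Secure.
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const flags = attrs.map((a) => a.toLowerCase());
    if (!flags.includes('httponly')) issues.push(`cookie ${name} lacks HttpOnly`);
    if (!flags.includes('secure')) issues.push(`cookie ${name} lacks Secure`);
  }
  return issues;
}

const WEAK = { // constructed: the misconfigured response
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*',
  'X-Frame-Options': 'DENY',
  'Set-Cookie': ['sid=abc123; Path=/'],
};
const HARDENED = { // constructed: the same response after remediation
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
};
console.log(auditHeaders(WEAK), auditHeaders(HARDENED));
```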

Dependencies:

  • No known vulnerabilities (run npm audit)
  • Packages up to date
  • No unnecessary dependencies

Remediation Workflow

  1. Fix each vulnerability following documented code examples
  2. Verify immediately - re-run security scans, test functionality
  3. Document resolution - mark findings as fixed with verification method
  4. Run dependency audit - npm audit, update packages
  5. Test regression - ensure fixes don't break features
  6. Update docs - document security measures implemented

Examples

Example 1: SQL Injection Finding

### [CRITICAL] SQL Injection in User Login
**CVSS Score:** 9.8 | **Category:** OWASP A03:2021 | **Location:** `src/auth/login.js:45`

**Vulnerable Code:**
```javascript
const query = `SELECT * FROM users WHERE email = '${email}'`;
const user = await db.query(query);
```

**Exploit Scenario:**
Attacker sends: email = "admin' OR '1'='1"
→ Returns all users, bypasses authentication, gains admin access

**Impact:**
- Complete authentication bypass
- Full database access
- Data exfiltration and manipulation

**Fix:**
```javascript
const query = 'SELECT * FROM users WHERE email = ?';
const user = await db.query(query, [email]);
```

Example 2: Hardcoded Secrets Finding

### [CRITICAL] Hardcoded API Key
**CVSS Score:** 9.6 | **Category:** OWASP A02:2021 | **Location:** `src/config.js:12`

**Vulnerable Code:**
```javascript
const apiKey = "sk-1234567890abcdef";
```

**Impact:**
- Unauthorized API access
- Billing liability
- Data access under victim's account

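**Fix:**
```javascript
const apiKey = process.env.API_KEY;
// Store in .env: API_KEY=sk-1234567890abcdef
// Keep .env out of version control, and rotate the exposed key:
// the committed value remains in the repository history.
```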